
I found a lot of lines (~900) similar to these in the last output of one of my hosts:

trustpor ftpd31576    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31575    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31574    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31573    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31572    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
trustpor ftpd31571    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)

That user doesn't exist, and I can't understand the meaning of the second column (tty, OK, but what are those ftpd* in detail?).

Example of /var/log/auth.log:

Oct  1 22:20:06 kermis proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd12006 ruser=trustportpro.download rhost=www.trustport.com
Oct  1 22:20:09 kermis proftpd: pam_unix(proftpd:auth): check pass; user unknown

I also add lastb output (empty):

btmp begins Tue Oct  1 06:52:36 2013

System logs show failed attempts to log in with that user, but if those failed, why do they appear in the last output? What could this be, some sort of external attack? How can I track this down on my system?
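An added example, not part of the original post: the tty in the auth.log line (`tty=/dev/ftpd12006`) has the same shape as the second column of `last`, so the two logs can be joined on it to see which `last` rows correspond to failed proftpd logins and where they came from. The sample data is constructed from the lines quoted above, and the 8- and 16-character truncation widths for user and host are an assumption read off those sample rows.

```python
import re
from collections import Counter

# Constructed sample input modelled on the lines quoted in the question.
AUTH_LOG = """\
Oct  1 22:20:06 kermis proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd12006 ruser=trustportpro.download rhost=www.trustport.com
Oct  1 22:20:09 kermis proftpd: pam_unix(proftpd:auth): check pass; user unknown
Oct  1 22:20:11 kermis proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd12007 ruser=trustportpro.download rhost=www.trustport.com
"""
LAST_OUTPUT = """\
trustpor ftpd12006    www.trustport.co Tue Oct  1 22:20 - 22:20  (00:00)
trustpor ftpd12007    www.trustport.co Tue Oct  1 22:20 - 22:20  (00:00)
trustpor ftpd31576    www.trustport.co Tue Oct  1 10:03 - 10:03  (00:00)
"""

FAIL_RE = re.compile(
    r"pam_unix\(proftpd:auth\): authentication failure;.*?"
    r"tty=/dev/(?P<tty>\S+) ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)")

def parse_failures(text):
    """Return {tty: (ruser, rhost)} for each PAM failure line."""
    return {m["tty"]: (m["ruser"], m["rhost"]) for m in FAIL_RE.finditer(text)}

def correlate(last_text, failures, user_w=8, host_w=16):
    """Pair each `last` row with the PAM failure logged for the same tty."""
    # Assumption: `last` cut user/host to user_w/host_w characters,
    # which is how the sample rows in the question look.
    matched, unmatched = [], []
    for row in last_text.splitlines():
        fields = row.split()
        if len(fields) < 3:
            continue
        user, tty, host = fields[:3]
        hit = failures.get(tty)
        if hit and hit[0][:user_w] == user and hit[1][:host_w] == host:
            matched.append((tty, hit[0], hit[1]))   # full ruser/rhost recovered
        else:
            unmatched.append((tty, user, host))     # no failure seen for this tty
    return matched, unmatched

def failures_by_source(failures):
    """Count failed logins per (rhost, ruser) pair."""
    return Counter((rhost, ruser) for ruser, rhost in failures.values())

if __name__ == "__main__":
    fails = parse_failures(AUTH_LOG)
    print(correlate(LAST_OUTPUT, fails), failures_by_source(fails))
```

Rows left in the unmatched list are the ones to look at first: either the matching auth.log lines have been rotated away, or the session was not a failed login.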
